file-mongodb-auth-disabled: MongoDB Authentication Disabled

Date: 2025-08-01 | Affected software: MongoDB | PoC: public

Vulnerability description

Detects if MongoDB authentication is disabled or missing in mongod.conf. If 'authorization: enabled' is missing under 'security:', authentication is not enforced.

PoC code [public]

id: file-mongodb-auth-disabled

info:
  name: MongoDB Authentication Disabled
  author: pussycat0x
  severity: high
  description: |
    Detects if MongoDB authentication is disabled or missing in mongod.conf. If 'authorization: enabled' is missing under 'security:', authentication is not enforced.
  reference:
    - https://wiki.devsecopsguides.com/docs/checklists/mongodb/
    - https://wiki.devsecopsguides.com/docs/checklists/mongodb/
  metadata:
    verified: true
  tags: file,mongodb,audit,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "storage"
          - "operationProfiling"
          - "#security"
        condition: and

      - type: word
        words:
          - "authorization: enabled"
        negative: true
# digest: 490a0046304402203908544123052db08fd523dc16090b44c17b03c8012ca0ca49145c22548e49a30220673d23799471c1c3380e7d46b6b38f3abfdbaae0f0f33713e7ecf882c1601ba7:922c64590222798bb761d5b6d8e72950
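The template above works by word matching: it flags a .conf file that contains the "storage", "operationProfiling" and "#security" tokens but not the literal "authorization: enabled". That catches the default shipped mongod.conf, where the whole security block is commented out, but a plain substring check cannot tell a live "authorization: enabled" line from a commented-out one, nor from the same key placed under a different section. The following Python checker is an added example, not part of the original template or of the Nuclei project: it parses the block structure of mongod.conf (no third-party dependencies) and reports the effective value of security.authorization. The three sample configurations are constructed; block-style YAML with whole-line or trailing "#" comments is assumed.

```python
"""Audit a mongod.conf for enforced authentication (added example).

Parses the YAML block structure instead of matching words, so that a
commented-out '#  authorization: enabled' or the key under the wrong
top-level section is not mistaken for an enforced setting.
"""

# Constructed sample configurations (not taken from the page).
# 1) Mirrors the default shipped mongod.conf: security block commented out.
DEFAULT_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
#security:
#  authorization: enabled
operationProfiling:
"""

# 2) Hardened: authorization enforced under the security section.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
  keyFile: /etc/mongod.key
operationProfiling:
"""

# 3) Misplaced key: 'authorization: enabled' under 'net:' has no effect,
#    and the real security section explicitly disables it.
MISPLACED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  authorization: enabled   # wrong section, ignored by mongod
security:
  authorization: disabled
"""


def security_authorization(conf_text):
    """Return the effective value of security.authorization, or None if unset.

    Comments are stripped before any matching, so '#security:' in the default
    config does not open a security block, and a commented-out
    '#  authorization: enabled' line is never counted.
    """
    current_top = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop whole-line and trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current_top = key  # new top-level section (storage, net, security, ...)
            continue
        if current_top == "security" and key == "authorization":
            return value.strip().strip("\"'") or None
    return None


def auth_enforced(conf_text):
    """True only when security.authorization is literally 'enabled'."""
    return security_authorization(conf_text) == "enabled"


def audit(name, conf_text):
    """Return a one-line finding in the spirit of the template's severity."""
    value = security_authorization(conf_text)
    if value == "enabled":
        return f"{name}: OK (security.authorization = enabled)"
    shown = value if value is not None else "missing"
    return f"{name}: HIGH - MongoDB Authentication Disabled (security.authorization = {shown})"


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF),
                        ("hardened", HARDENED_CONF),
                        ("misplaced", MISPLACED_CONF)):
        print(audit(label, conf))
```

Run it against a real file with `audit(path, open(path).read())`; the default and misplaced samples are reported as findings while only the hardened one passes, which is the distinction the word-matching template cannot make on its own.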
